Business information leak - Credit Cards - Dart
Need
Protection of customer credit card data and business information confidentiality
Context
- Usage of Dart 2.0 for building scalable and performant applications
- Usage of Shelf for managing data persistence and querying in Node.js applications
Description
Insecure Code Example
```dart
import 'package:shelf/shelf.dart' as shelf;

class CreditCard {
  String creditCardId;
  String cardNumber;
  String cardHolderName;
  String expiryDate;
  String cvv;

  CreditCard({this.creditCardId, this.cardNumber, this.cardHolderName, this.expiryDate, this.cvv});
}

class CreditCardHandler {
  // No authentication or authorization check is performed on the request.
  shelf.Response handleRequest(shelf.Request request) {
    // Hard-coded sample card data.
    var creditCard = CreditCard(
      creditCardId: '1234567890',
      cardNumber: '4111111111111111',
      cardHolderName: 'John Doe',
      expiryDate: '12/2025',
      cvv: '123'
    );
    // The internal card identifier is returned to any caller.
    return shelf.Response.ok(creditCard.creditCardId);
  }
}
```
The above code demonstrates a Dart backend application using the Shelf framework. In this code, a `CreditCard` class is defined with properties related to credit card information such as `creditCardId`, `cardNumber`, `cardHolderName`, `expiryDate`, and `cvv`. A `CreditCardHandler` class is also defined which includes a `handleRequest` method. This method creates a `CreditCard` object with hard-coded credit card information and returns a response with the `creditCardId`.

The vulnerability here is that the `creditCardId` is being exposed in the response. This `creditCardId` could potentially be used to identify and access more sensitive credit card information. Moreover, the `handleRequest` method does not validate the request or check for any authentication or authorization. This means any client can make a request and receive the `creditCardId`, leading to a business information leak.
Steps
- Firstly, ensure that sensitive data such as credit card information is not exposed in any form. This includes not sending such data in responses to requests.
- Implement proper access controls to ensure that only authorized users can access sensitive data.
- Encrypt sensitive data at rest and in transit. This includes the credit card information.
- Use secure methods for storing and transmitting sensitive data. Avoid storing sensitive data in plain text.
- Regularly audit your code and systems for security vulnerabilities and fix them promptly.
- Implement proper error handling to prevent information leaks through error messages.
- Consider using tokenization or other secure methods for handling credit card data, instead of dealing with the actual credit card numbers.
Secure Code Example
```dart
import 'dart:convert';

import 'package:shelf/shelf.dart' as shelf;

class CreditCard {
  String creditCardId;
  String cardNumber;
  String cardHolderName;
  String expiryDate;
  String cvv;

  CreditCard({this.creditCardId, this.cardNumber, this.cardHolderName, this.expiryDate, this.cvv});

  // Serialize only the fields meant for the response;
  // cardNumber and cvv are deliberately left out.
  Map<String, dynamic> toJson() => {
    'creditCardId': creditCardId,
    'cardHolderName': cardHolderName,
    'expiryDate': expiryDate,
  };
}

class CreditCardHandler {
  shelf.Response handleRequest(shelf.Request request) {
    // Hard-coded sample card data.
    var creditCard = CreditCard(
      creditCardId: '1234567890',
      cardNumber: '4111111111111111',
      cardHolderName: 'John Doe',
      expiryDate: '12/2025',
      cvv: '123'
    );
    // Encode the filtered view of the card as a JSON string.
    var creditCardJson = jsonEncode(creditCard.toJson());
    // Declare the body as JSON so clients parse it correctly.
    return shelf.Response.ok(creditCardJson, headers: {'content-type': 'application/json'});
  }
}
```
The updated code now ensures that sensitive data such as the credit card number and CVV are not exposed in the response to requests. This is achieved by implementing a `toJson()` method in the `CreditCard` class that only includes the `creditCardId`, `cardHolderName`, and `expiryDate` in the JSON object. The `cardNumber` and `cvv` are excluded from the JSON object, thus preventing their exposure. In the `CreditCardHandler` class, the `handleRequest()` method now uses the `toJson()` method to convert the `CreditCard` object into a JSON object before sending it in the response. This ensures that only the necessary data is included in the response, and sensitive data is not exposed.

Please note that this is just a basic fix. For a production environment, it is recommended to implement proper access controls, encrypt sensitive data at rest and in transit, use secure methods for storing and transmitting sensitive data, regularly audit your code and systems for security vulnerabilities, implement proper error handling, and consider using tokenization or other secure methods for handling credit card data.
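
The production recommendations above (access control, generic error responses, tokenization) can be combined in one Shelf handler. The following is an added example, not code from the original page: the `sessions` and `cards` maps, the `StoredCard` class, the `token` query parameter and the `handleCardRequest` name are hypothetical, the data is constructed, and it is written for null-safe Dart (2.12 or later).

```dart
import 'dart:convert';

import 'package:shelf/shelf.dart' as shelf;

// Constructed sample data standing in for a session store and a token vault.
const sessions = {'constructed-session-token': 'user-1'};

class StoredCard {
  final String ownerId;
  final String last4; // only the last four digits are kept for display
  final String expiryDate;
  const StoredCard(this.ownerId, this.last4, this.expiryDate);
}

// Cards are keyed by an opaque token, never by the card number itself.
const cards = {'tok_constructed_01': StoredCard('user-1', '1111', '12/2025')};

shelf.Response _json(int status, Map<String, Object> body) => shelf.Response(
      status,
      body: jsonEncode(body),
      headers: {'content-type': 'application/json'},
    );

/// Hypothetical handler for GET /cards?token=<card token>.
shelf.Response handleCardRequest(shelf.Request request) {
  // 1. Authenticate: the bearer token must map to a known session.
  final auth = request.headers['authorization'] ?? '';
  final userId =
      auth.startsWith('Bearer ') ? sessions[auth.substring(7)] : null;
  if (userId == null) {
    return _json(401, {'error': 'unauthorized'});
  }

  // 2. Authorize: the card must exist and belong to the caller.
  final card = cards[request.url.queryParameters['token']];
  if (card == null || card.ownerId != userId) {
    // One generic answer for both cases, so the response does not
    // reveal whether a token belongs to another customer.
    return _json(404, {'error': 'not found'});
  }

  // 3. Minimize: return a masked view, with no internal ID, number or CVV.
  return _json(200, {
    'card': '**** **** **** ${card.last4}',
    'expiryDate': card.expiryDate,
  });
}
```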
Last updated
2023/09/18